Description of problem:
NOTE: my stack is named "sweatpants" here
Running the tripleo.fernet_keys.rotate_fernet_keys workflow from the undercloud as such:
openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "sweatpants"}'
Will fail if your cloud is not named "overcloud"
Version-Release number of selected component (if applicable):
How reproducible:
100%
Steps to Reproduce:
1.Deploy a cloud named something other than "overcloud" (such as "sweatpants")
2.try rotate your fernet decrypt keys on the controllers with
openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "sweatpants"}'
3. look at the output of the workflow after a minute or so
openstack workflow execution output show <workflow id>
Actual results:
Look at your ferent keys in the contain from the controller node, notice that they haven't changed:
docker exec -ti keystone ls -l /etc/keystone/fernet-keys
'
Check the actual workflow output, you'll see something like the following:
{
"status": "SUCCESS",
"message": {
"stderr": "\nPLAY [keystone] ****************************************************************\nskipping: no hosts matched\n\nPLAY RECAP *********************************************************************\n\n",
"stdout": " [WARNING]: Could not match supplied host pattern, ignoring: keystone\n"
}
}
The only way to get this working, is the following:
openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{ "container": "sweatpants", "ansible_extra_env_variables": { "TRIPLEO_PLAN_NAME": "sweatpants", "ANSIBLE_HOST_KEY_CHECKING": "False" }}'
Note, additionally, that we have to pass the ANSIBLE_HOST_KEY_CHECKING variable because this gets overwritten by the workflow and isn't picked up if the plan name is the only variable passed into the workflow.
Expected results:
Expect to have rotated keys on all controller nodes
Additional info:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2018:2331